Thycotic’s Cyber Security Publication

Let’s Play a Game of Password “Fact or Fiction”

October 26th, 2017

Guest column by SailPoint. SailPoint, the leader in enterprise identity management, brings the Power of Identity to customers around the world. As both an industry pioneer and market leader in identity governance, SailPoint delivers security, operational efficiency and compliance to enterprises with complex IT environments. Author: Darren Rolls

With so much confusion and false advice around password security, it can be hard to sift through the heaps of information to uncover the most effective strategies for password management. In today’s blog, we cut through the noise and talk about what matters most.

Fact or Fiction? You only need to pay attention to corporate password policies for “important” applications like financial applications.

Fiction. Security is all about the principle of the weakest link. An attacker will always go after the lowest rung first since it’s generally the easiest to infiltrate, before moving on from there to higher value targets. While a risk-based approach to security does work, that doesn’t mean you should only focus on those high-risk, high-value applications and leave the low-value areas unprotected – since that’s what attackers will be banking on.

Fact or Fiction? It’s safe to store your passwords in a notebook out of sight of your desk.

Fact. Well… kind of. For a SaaS application, you’re probably far better off having a complex password on a sticky note than a memorable three-letter password kept in your head. To be clear, I’m not recommending post-it password policies – remember, the insider is our biggest risk and the next insider threat might be your coworker or an office cleaner. Realistically, when the adversary is physically remote, a notebook in a locked desk drawer is a better solution. More generally, though, it’s truly not in your best interest to write your passwords down where someone could spot them. Instead, consider using an easy-to-remember password scheme, like using the first letter of the words in a phrase or song mixed with the name of the application. These methods may not be the safest you can choose from – but overall, a complex password that you need to write down to remember is always better than a short password that you won’t forget but that is easy to guess or crack.

Fact or Fiction? I can reuse my password if it’s really complex.

Fiction. Don’t reuse passwords. Period. Just look at several recent high-profile breaches to understand why. Following breaches like Dropbox and LinkedIn, hackers were able to reuse the username/password combos taken from those services in order to gain access to accounts on other services – taking advantage of the widespread bad habit of reusing passwords across platforms and applications.

Fact or Fiction? A long password doesn’t have to be complex to be secure.

Fiction. A long password made up of consecutive words that are typically used together is no more secure than the most common singular words used in passwords. As an aside, research shows that “Red” is the most common color used in a password and “Batman” is the most common superhero. These facts contribute to the way hackers crack passwords made up of these commonly used words. The bad guys use databases of commonly used words and numbers, called Rainbow Tables, to cycle through all possible plaintext permutations of encrypted passwords and compare them with stolen password hashes. Anything you can think of easily can be effortlessly cracked using this method. When it comes to passwords, complexity and randomness (aka entropy) are quite literally the key: the first letters of a song you like, a usual mix of upper and lowercase letters, mix that with some random numbers and you are good. Remember – if it’s easy to say and remember, it’s almost always a bad password.
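To make the point about long passwords built from common words concrete, here is an added example (not from the original column) that compares a naive per-character entropy estimate with one that prices each dictionary word as a single guess. The word list is a constructed sample, the 10,000-word attacker list size is an assumption, and the function names are hypothetical.

```python
import math

# Constructed sample list; a real check would load a large common-word and
# leaked-password corpus. ASSUMED_DICT_SIZE is an assumed attacker list size.
COMMON_WORDS = {"red", "batman", "password", "summer", "dragon", "monkey"}
ASSUMED_DICT_SIZE = 10_000


def charset_size(pw):
    """Size of the character pool implied by the classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not (c.isascii() and c.isalnum()) for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def naive_bits(pw):
    """Bits of entropy if every character had been picked at random."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def dictionary_aware_bits(pw):
    """Cheapest description of pw as a mix of list words and random characters.

    best[i] holds the fewest bits needed to produce pw[:i]. Case is ignored
    when matching words, so capitalised words still count as dictionary hits.
    """
    if not pw:
        return 0.0
    lower = pw.lower()
    per_char = math.log2(charset_size(pw))
    per_word = math.log2(ASSUMED_DICT_SIZE)
    best = [0.0] + [math.inf] * len(pw)
    for i in range(1, len(pw) + 1):
        best[i] = best[i - 1] + per_char  # treat pw[i-1] as a random character
        for j in range(i):
            if lower[j:i] in COMMON_WORDS:
                best[i] = min(best[i], best[j] + per_word)
    return best[-1]
```

Under these assumptions the 17-character "redbatmanpassword" scores about 80 bits on the naive estimate but only about 40 bits once its three words are recognised, while a 10-character random string keeps its full estimate.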

Fact or Fiction? Using a password generator ensures a strong password.

Fiction. For the most part, password generators work since they easily create complex and unusual passwords. But remember – when choosing a password generator, make sure it’s provided by a trusted source. Recently, there was a free password generator app offered on iPhone that was analyzed by the security community. It was found that the random number generation scheme used by this app was anything but random. Look for tools that are open source or highly recommended by trusted sources and already being used by security practitioners.
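As an added illustration of why the source of randomness in a generator matters (this is not code from the column, and not a reconstruction of the app mentioned above), the sketch below puts a generator built on a seeded general-purpose PRNG beside one that draws from the operating system's CSPRNG through Python's `secrets` module. The function names and the seed value are hypothetical.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_generate(length, seed):
    """Deliberately weak: a general-purpose PRNG seeded with a guessable value
    (for example a timestamp). The same seed always yields the same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length=20):
    """Draw every character from the OS CSPRNG and resample until all four
    character classes are present."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw)
                and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def repeats_under_seed(generator, seed, runs=5):
    """Health check: True if the generator returns the same value on every
    run when handed the same seed, which means its output is reproducible."""
    return len({generator(16, seed) for _ in range(runs)}) == 1
```

When reviewing a generator whose source is available, the equivalent check is to confirm that passwords come from a CSPRNG API such as `secrets` or `os.urandom` rather than from `random`.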

Fact or Fiction? I can use a weaker password if I use multi-factor authentication.

Fact. Again… sort of. It’s all about finding the balance between convenience and control. If you’re using rock-solid multifactor authentication – and it’s deployed properly – then you may still be protected with a password that’s easier to remember. But why wouldn’t you make sure that everything is strong? A multi-layered approach to security is always a good idea – but why wouldn’t you make sure each of those layers is as strong as possible? I would say: go for both.

Fact or Fiction? The password is dead.

Fiction. Like I said above – a multi-layered approach to security is always best. Passwords aren’t going away anytime soon, so taking advantage of the full spectrum of password tools and best practices will only benefit you. Use stronger passwords, use layered multifactor authentication and, if you have the budget and the time, use biometrics. Multi-layered security is always in your best interest. But until every application and every system has moved off the password path, it’s critically important that we appropriately manage them.

This Cyber Security Awareness Month, we hope you take the opportunity to reflect on your own password behaviors and take action to nix those bad habits in favor of good password strategies.